This report is confidential and is intended for use by the Directors of the ICO only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, 
to any third party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying on this report 
does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this report, 
however such loss or damage is caused. 


It is the responsibility solely of the ICO management to ensure that there are adequate arrangements in place in relation to risk management, governance and control.

1 Executive Summary

1.1 Background
Our review considered the ICO's arrangements for monitoring and implementing recommendations raised from internal audit reviews.

1.2 Scope
We reviewed the assurances available to the Audit Committee that recommendations are being implemented in a timely manner, following up recommendations made in 2012-13 and 2013-14.

• The ICO's arrangements for following up audit recommendations may not be adequate resulting in recommendations not being completed on time and to a satisfactory standard, with the ICO remaining exposed to risks that are deemed to be unacceptable resulting in a lack of comfort for the Audit Committee and senior management that the internal control framework is operating effectively.

We focussed on the following sub risk:

Further details on responsibilities, approach and scope are included in Appendix A.

1.3 Overall assessment
We have made an overall assessment of our findings as:

Overall assessment
We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control.

Refer to Appendix B for definitions of internal audit opinion and recommendation ratings.

1.4 Key findings
Evidence of implementation: - - 1 -

1.5 Controls identified
During our review we confirmed that the following controls have continued to operate during 2013-14:

• The Senior Corporate Governance Manager maintains a log of outstanding audit recommendations, which is presented to the Audit Committee at each meeting for discussion and challenge;

• This log is available on the ICON system, to allow recommendation owners to view their outstanding recommendations, and they are reminded individually when updates are needed;

• The log shows the due date for implementation of recommendations, as well as a forecast due date if this is expected to be different. An accompanying explanation is provided for any re-forecast due dates;

• Implemented recommendations are recorded separately from ongoing recommendations to allow the Audit Committee to clearly focus on those which remain unactioned, but implemented recommendations do remain on the Register until the end of the financial year to which they relate;

• A performance update is provided with the outstanding recommendations log to each Audit Committee meeting, giving oversight of the number of overdue recommendations;

• We verified that all recommendations raised during 2013-14 had been included on the log of outstanding recommendations and cleared as appropriate;

• We followed up on all seven recommendations recorded as being cleared on the March 2014 log reported to the Audit Committee. We confirmed that each had been appropriately addressed as reported.


1.6 Acknowledgement 


We would like to take this opportunity to thank the staff involved in for
their co-operation during this internal audit.

2 Detailed Findings
2.1 Evidence of implementation
di: Use of sub-contractors

Finding and Implication
The Senior Corporate Governance Manager does not always obtain evidence from recommendation owners of the actions taken to address the finding/risk exposure when updating the log. Oral assurances have been accepted.

Proposed action
Where appropriate, the Senior Corporate Governance Manager should obtain evidence from recommendation owners that supports the assertions made that recommendations have been implemented.

Agreed action (Date / Ownership)
Agreed action:
Where possible specific evidence that an action has been cleared will be saved on the electronic records management system to allow the clearance of the action to be confirmed at a later date.

Where specific evidence is not available a written note will be saved confirming the reasons for the decision to clear the action.

Date Effective:
Immediately.

Owner:
Peter Bloomfield, Senior Corporate Governance Manager

Approach

Our audit was carried out in accordance with the guidance contained 
within the Government’s Internal Audit Standards and the Auditing 
Practices Board’s “Guidance for Internal Auditors”. We also had regard to
the Institute of Internal Auditors’ guidance on risk based internal auditing 
(2005). 


Our internal audit approach is based upon the underlying principles of the 
UK Corporate Governance Code (2010) together with the associated 
Turnbull Committee guidelines on internal control (2005) that require 
management to identify, assess and manage the risks that are significant to 
the achievement of the organisation’s overall business objectives. We will 
also have regard to the HM Treasury Management of Risk Guidance 
(2001). Our role as internal auditor is to provide objective and independent 
assurance to the Audit Committee and management that it is doing so 
successfully for each of the areas being audited. 


As part of our 2013-14 Audit Plan, we agreed with the Audit Committee 
and management that we should carry out a review of the ICO's
arrangements for managing its follow up of audit recommendations to 
further inform our ongoing understanding of the ICO’s key internal 
control activities. 


The findings and conclusions from this review will support our annual
opinion to the Audit Committee on the adequacy and effectiveness of
internal control arrangements.

Scope
Our review focused on the following risk:

• The ICO's arrangements for following up audit recommendations may
not be adequate resulting in recommendations not being completed on 
time and to a satisfactory standard, with the ICO remaining exposed to 
risks that are deemed to be unacceptable resulting in a lack of comfort 
for the Audit Committee and senior management that the internal 
control framework is operating effectively. 


Additional information 
Client staff 
The following staff were consulted as part of this review: 


• Peter Bloomfield — Senior Corporate Governance Manager

Documents received
The following documents were received during the course of this audit:

• Audit Committee minutes and accompanying reports on outstanding
audit recommendations

• Evidence to support the sample of recommendations reported to the
Audit Committee as implemented

B Definition of internal audit opinion and ratings

Internal audit opinion

Design effectiveness

• No opinion can be given: We have not been able to form an opinion on whether the internal controls examined have been designed to achieve the risk management objectives required by management.

• Overall, we have concluded that, in the areas examined, the risk management activities and controls are suitably designed to achieve the risk management objectives required by management.

• Overall, we have concluded that, except for the specific weaknesses identified by our audit, in the areas examined, the risk management activities and controls are suitably designed to achieve the risk management objectives required by management.

• Overall, we have concluded that, in the areas examined, the risk management activities and controls are not suitably designed to achieve the risk management objectives required by management.

Operating effectiveness

• No opinion can be given: We have not been able to form an opinion on whether the internal controls examined were operating to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

• Those activities and controls were operating with sufficient effectiveness to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

• Except for the controls listed below those activities and controls that we examined were operating with sufficient effectiveness to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

• Those activities and controls that we examined were not operating with sufficient effectiveness to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

Audit issue rating

Within each report, every audit issue is given a rating. The ratings are summarised in the table below.

Rating / Description / Features

Description: Findings that are fundamental to the management of risk in the business area, representing a weakness in control that requires the immediate attention of management
Features:
• Key control not designed or operating effectively
• Potential for fraud identified
• Non compliance with key procedures / standards
• Non compliance with regulation

Description: Important findings that are to be resolved by line management.
Features:
• Impact is contained within the department and compensating controls would detect errors
• Possibility for fraud exists
• Control failures identified but not in key controls
• Non compliance with procedures / standards (but not resulting in key control failure)

Description: Findings that identify non-compliance with established procedures.
Features:
• Minor control weakness
• Minor non compliance with procedures / standards

Description: Items requiring no action but which may be of interest to management or best practice advice
Features:
• Information for department management
• Control operating but not necessarily in accordance with best practice